Self Improving Agent

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for agent learning, but it documents broad always-on hooks and persistent memory updates that can affect many sessions and projects.

Install only if you intentionally want a persistent agent-learning layer. Prefer project-local setup, avoid global hooks, review the hook scripts before enabling them, and require explicit approval before saving anything from prompts, tool output, errors, credentials, personal data, or proprietary code into durable memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: The skill description focuses on logging learnings, but the referenced resources indicate additional behavior such as hooks that inject reminders into agent context, inspect tool output, and scaffold files. This mismatch reduces transparency and can cause operators to enable broader monitoring and file-generation capabilities than they intended, which is a security-relevant trust and scope issue even if the underlying goal is operationally helpful.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The document claims the scripts only output text and do not run commands, yet the configured hook mechanism explicitly executes shell scripts as commands. This is dangerous because it downplays the trust boundary and may cause users to enable code execution hooks under a false sense of safety, increasing the chance of unintended local command execution in agent sessions.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding: The invocation guidance is very broad: errors, corrections, capability gaps, and repeated workarounds are common events in normal operation. Without tighter boundaries, this can lead to over-collection of session content into persistent workspace memory, increasing the chance of storing sensitive data, irrelevant history, or unreviewed behavioral rules that influence future runs.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The default prompt uses broad language ('log important learnings' and 'promote reusable patterns to workspace memory') without clear guardrails on when the skill should be invoked or what data may be persisted. In a self-improving skill, this can cause over-triggering and unnecessary retention of sensitive prompts, errors, or user corrections into persistent memory, expanding the blast radius of mistakes or prompt-injection content.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: An empty matcher causes the hook to run on every prompt, creating a broad always-on trigger surface. In a self-improving agent skill, that increases exposure to prompt-driven side effects, unnecessary command execution, and persistence of behavior across normal workflows where the hook is not needed.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The user-level configuration recommends global activation, which extends the broad trigger across all sessions and repositories. That makes accidental execution and collection more likely, and increases the blast radius if the scripts are modified, replaced, or behave unexpectedly in unrelated projects.

VirusTotal

66/66 vendors flagged this skill as clean.